Using Authelia As An Authentication Provider With Traefik 2 And Docker-Compose
Requirement
Provide authentication via LDAP to various services running behind Traefik 2 as a reverse proxy using docker-compose to run service containers.
Implementation
Setting up and running the service is straightforward, like running any other docker-compose service. The LDAP configuration for Authelia is the part that takes the most care; if you are comfortable with that, the rest should be very straightforward.
Concept
The way this works with Traefik is that you set up Authelia as a service and, in addition to the regular Traefik labels that make a service available at an endpoint, you add one more label that registers it as a Traefik forwardAuth middleware:

`traefik.http.middlewares.authelia.forwardAuth.address=http://authelia:9091/api/verify?rd=https://auth.domain.net/`

Here `auth.domain.net` is whatever endpoint you have configured Traefik to serve the Authelia portal at, and the `rd` parameter is where Authelia redirects an unauthenticated user so they can log in. `authelia:9091` is the container name and the port Authelia listens on inside the docker network, so Traefik reaches it directly without going through the public endpoint.
For any service (I'll call this a "protected container") that you wish to implement authentication for, you will:

- Add a `traefik.http.routers.sap.middlewares=authelia` label to that container's configuration, where `sap` is the name of that container's Traefik router and `authelia` matches the middleware name used in the label above.
- Ensure that the Authelia container, and therefore the middleware it defines, is running. If Traefik cannot find a middleware that a router references, it disables that router and the endpoint returns a 404 error.
- Configure the Authelia container to be on the same docker network as the protected container, usually the same docker network as Traefik.
- Ensure that Authelia's `config.yml` file has access control rules configured as required for the domain/endpoint the protected container is served at.
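As a worked example of the labels and the access-control rule described above (added here, not code from the original post or from the Authelia project), the following docker-compose.yml and Authelia config.yml fragment wire together Traefik, Authelia and one protected container. The service name `sap`, the hostnames under `domain.net`, the image tags, the `proxy` network name and the `admins` LDAP group are all assumptions; `trustForwardHeader` and `authResponseHeaders` are standard Traefik forwardAuth options that are normally set next to the address label.

```yaml
# docker-compose.yml (added example; service names, image tags and hostnames are assumptions)
version: "3.7"

networks:
  proxy:            # shared network: traefik, authelia and every protected container join it

services:
  traefik:
    image: traefik:v2.5
    command:
      - --providers.docker=true
      - --providers.docker.exposedByDefault=false   # only containers with traefik.enable=true get routers
      - --entrypoints.websecure.address=:443
    ports:
      - "443:443"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
      - proxy

  authelia:
    image: authelia/authelia:4.33
    volumes:
      # the config.yml from the post, mounted at the path the image reads by default
      - ./authelia/config.yml:/config/configuration.yml:ro
    networks:
      - proxy
    labels:
      - traefik.enable=true
      # portal router: this is the auth.domain.net endpoint the rd= parameter points to
      - "traefik.http.routers.authelia.rule=Host(`auth.domain.net`)"
      - traefik.http.routers.authelia.entrypoints=websecure
      - traefik.http.routers.authelia.tls=true          # default traefik certificate; add a certresolver for real certs
      # middleware definition: every router that lists "authelia" in its middlewares
      # gets checked against Authelia before traefik forwards the request to the backend
      - traefik.http.middlewares.authelia.forwardauth.address=http://authelia:9091/api/verify?rd=https://auth.domain.net/
      - traefik.http.middlewares.authelia.forwardauth.trustForwardHeader=true
      # headers traefik copies from Authelia's 200 response into the request sent to the backend
      - traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email

  sap:                       # the "protected container"
    image: nginx:alpine      # placeholder backend; replace with the real service
    networks:
      - proxy
    labels:
      - traefik.enable=true
      - "traefik.http.routers.sap.rule=Host(`sap.domain.net`)"
      - traefik.http.routers.sap.entrypoints=websecure
      - traefik.http.routers.sap.tls=true
      # "sap" must be this container's router name and "authelia" must match the
      # middleware name defined on the authelia container, otherwise this router is disabled (404)
      - traefik.http.routers.sap.middlewares=authelia

---
# ./authelia/config.yml, access-control fragment only (added example). The LDAP
# authentication_backend, storage, notifier and secrets are not shown here.
session:
  domain: domain.net         # cookie domain must cover both auth.domain.net and sap.domain.net

access_control:
  default_policy: deny       # any host without an explicit rule is refused
  rules:
    # rules are evaluated top to bottom, first match wins
    - domain: sap.domain.net
      policy: two_factor
      subject: "group:admins"     # LDAP group from the authentication backend (assumed name)
    - domain: sap.domain.net
      policy: one_factor          # everyone else who can log in
```

A quick check once the stack is up: a browser request to https://sap.domain.net/ should come back as a redirect to https://auth.domain.net/ with the original URL in its `rd` parameter, and after logging in the request reaches the backend with the `Remote-*` headers set. Stopping the authelia container and repeating the request should produce the 404 described above, because the router now references a middleware that no longer exists. If the backend does not consume the `Remote-*` headers, the `authResponseHeaders` label can be dropped; the `session.domain` setting cannot, since without a cookie scoped to the parent domain the login at the portal is never seen on the protected host.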
These are some rough notes to get things started. I intend to update this post with more specific details when I get a chance. If you need help, let me know in the comments below and that will be a prompt for me to revisit this and provide more specific details. This is how I assess demand for content that I will expand on further.